State Board of Elections 

140 Walnut Street, Frankfort, Ky 40601 


State Board of Elections Board Member, 

I am writing this letter to address concerns I have been having here at the State Board of 
Elections over the past year or so. Certain situations have occurred that have raised red flags for 
me, but I was unsure of how to have them properly addressed. As issues have piled up, I have 
become trapped in a feeling of being stuck in quick sand. I feel very overwhelmed trying to figure 
out what exactly my responsibilities are both by statute and by the expected standard operating 
procedures inside of this agency. 

You know by our limited monthly interactions that I am retired military and am currently 
serving as the assistant director, but you may not know much more than that. Therefore I would 
like to provide you with some background that explains my past occupation, so that you may 
better understand how I conduct business in my professional and personal life. 

I served as a Reconnaissance and Surveillance First Sergeant for the last 10 years of my 
22 year military career. I led small teams and larger organizations ranging in size from 12-1000 
people with a wide range of backgrounds (military, civilians, contractors, and foreign nationals). 

I had extensive experience in combat operations, peace keeping operations, contract 
management, and logistics integration. Our mantra was to never leave a man or woman behind, 
whether it is on the military battlefield or in the civilian sector. I continue to live by the Army 
values that were instilled in me at a young age: loyalty, duty, respect, selfless service, honor, 
integrity and personal courage. I have always tried to do the hard right over the easy wrong. I 
am a purple heart recipient, I own two Bronze Stars and eight Army Commendation medals, one 
with Valor. 

The issues I am about to share with you would have been easy for me to just look the 
other way, but I feel it is my duty to try and protect the agency that ensures the sanctity of open, 
free, and fair elections. I have been at times belittled, bullied, and flat out discounted during my 
time with this agency by what I always considered to be my higher chain of command. This job 
has become more stressful this last year than any other job I have ever had and it's an off-election 
year. I hit several lEDs in Baghdad during the surge of '06 and have been wounded in combat, so 



that is saying something. The stress is not due to normal operations at the State Board of 
Elections. My wife on many occasions has asked me to resign and take a job closer to our home, 
near Ft. Knox and just be done with it. 

I have outlined several major issues in this document that I feel need to be addressed. I 
would have come to you sooner, except I only had theories. It has taken time for these issues to 
fully develop and for me to analyze the situations created by these issues. I feel I now have 
enough information to give you a more accurate picture. I want to explain to you the issues that 
have made me uneasy and the steps I have taken to look into them. 

I was told by Maryellen Allen upon accepting the Assistant Director position that we are 
not to discuss anything directly with the Board members and that if we needed to send them any 
correspondence, it should be sent to Lindsay Thurston first, for vetting. These same parameters 
are in effect for any correspondence or documents that need to go to all 120 County Clerks. I 
asked why this was and she stated that was the directive from the Office of the Secretary of State. 
I believe this is to keep everyone compartmentalized, to better control any information that is 
needed for decision making processes. 

Therefore, due to having no clear channel to discuss my concerns, I put myself on the 
record at the Executive Branch Ethics Commission back in June, 2017, regarding the concerns 
outlined in this document. I wanted a second opinion of my concerns to ensure I was not making 
a mountain out of something that maybe was only a mole hill. When I filed the complaint, I 
became a protected whistleblower under KRS 61.102(1). The SBE and its staff are currently being 
interviewed by the Ethics Commission's investigators on the filed complaint, which I have listed 
in the attached documentation. I have felt that my employment has been in jeopardy for the last 
year, due to my questioning of directives that have been given to my agency by the SOS and her 
staff. 


It is my belief that sometime in the beginning of August the Secretary of State and her 
assistant, Lindsay Thurston, were sent letters by the Ethics Commission informing them that they 
were under investigation. Around this same time, the SOS and her staff started to distance 
themselves from the SBE. The SOS staff up until this time was involved in every facet of 
operations at the SBE. If there was something that we as an agency felt was not appropriate or 
would not serve as a value to our agency, we were dismissed at every turn and told that it was 
happening, no ifs, ands, or buts. 

By statute at KRS 117.025(1) and (2) (Attachment #8), we are supposed to have a Director, 
Assistant Director, Training Officer, and General Counsel to carry out our duties. One of our 
biggest problems is that we have not had a general counsel since I started working here. If we 
have a question as to whether we should or should not be doing something dictated to us by the 



SOS, then we must consult the SOS general counsel. You can guess what the answer always is: 
we should do what the SOS is directing us to do. We also share an HR person with the SOS. It has 
been made clear to me over the last year that any staff action that we are discussing inside of 
our agency must first be run by the Assistant SOS. Two weeks ago our receptionist retired due 
to the proposed pension changes. We called to set up a meeting with Michelle Starkweather to 
discuss the vacant staff position and what we planned on doing in regard to it. Michelle 
Starkweather told us in the meeting that she would have to run this by Lindsay Thurston to see 
if she would be alright with it. The SOS office has effectively strangled the State Board of 
Elections, essentially making it just another branch of the office of SOS. I'm pretty sure this is not 
how the statute intended this office to be run, but I could be wrong. 

It is my professional assessment that the SBE is currently operating in a toxic work 
environment. I believe this has been caused by the continual circumventing of the SBE Directors 
by the SOS and her staff. The SBE directors and their staff are not allowed to carry out their 
duties as prescribed in the statute because of the constant micromanagement occurring by the 
SOS and her staff. It is the complete control exerted by the Secretary of State and her staff over 
SBE that has directly led to the concerns I have laid out in this document. In my opinion, the only 
way these problems can be corrected and avoided in the future is if the SOS office is completely 
cut out of the SBE's daily operations. This starts by hiring an SBE general counsel and hiring or 
upgrading a current staff position to an HR position. These steps ensure that the SBE is able to 
act independently of the SOS office, and to be held accountable by the entire Board, rather than 
only by the SOS. 

While I realize the following descriptions of events are lengthy, I ask you to please give 
them a full review so that you may better understand why I am so concerned about the integrity 
of this agency. Everything below has been turned into the Ethics Branch. 


Matthew L. Selph 
Assistant Executive Director 



WEBSITE JUNE 2016 


SBE has one massive primary system, the Voter Registration System. VRS is used daily in all 120 counties. 
VRS is also accessed in real-time by Circuit Clerks across the state every time a KY Driver's License 
application is filed. 

There are also six separate database-driven web sites, including Online Voter Registration (OVR) and the 
Voter Information Center (VIC). 

All of these complex data systems must be monitored, maintained and upgraded on a continuing basis. 
All of these systems must also maintain Federal data integrity and security standards. Our IT team 
consists of two full-time and one part-time contract software engineers and one IT Specialist. 

With so many state agencies depending on VRS remaining available, system architecture plans are made 
years in advance to ensure that VRS does not fail. Detailed planning and scheduling is performed weekly 
by our engineers, with management oversight, to ensure that mission-critical maintenance, new 
functionality and bug fixes are all prioritized and implemented as quickly, and seamlessly, as possible. 

Failure is never an option for VRS, but it is especially critical that VRS remain stable during election 
cycles. Therefore it is crucially important that any serious bug fixes, major new system functionality, or 
business process changes occur only during off-election periods. 

The three hour planning session we conducted on May 26, 2016, is typical of our development staging. 
We identified the time we had available before the General election cycle began and then we 
determined what needed to be accomplished during that four month period. 

It was shortly after the three developers had begun to work on the projects outlined in the May 26 
meeting that Tom Watson and Steve Spisak were diverted directly by the Secretary of State's office. 
Bradford Queen and Matt Daley had been tasked with overseeing a new project that SBE's developers 
were told was top priority; to start work on a new web site for the SBE. 

Neither I, nor my director, was notified of this proposed project or that our developers were being 
directly tasked by individuals from another agency. 

Upon our discovery that our developers had been told to put our system fixes on hold and instead to 
focus on a project that I had previously investigated as important but that was most definitely not 
mission critical, I notified Matt and Bradford that our IT team was needed for critical SBE VRS work that 
had been already delayed for months simply due to a lack of time. I also explained how important this 
particular list of pre-scheduled work was, especially in light of the forecasts for a larger than usual 
Presidential election. We also discussed what the ramifications could be if SBE personnel didn't 
complete the assigned work in the short window of opportunity that was available. I was then told by 
Bradford, "You know the deal, she (SOS) wants it to happen, so it's happening". 

After thinking all of this through and discussing their work loads and the importance of the tasks 
identified in late May with the both the IT staff and my director, I made one last attempt to halt the 



work now being done on the new SBE website. But again I was told that it was useless to fight it, and to 
"do your best" to get the system corrected using only our 3'''' developer. 

I worked over the next two months without the assistance of two crucial team members, both of whom 
were now focused primarily on trying to meet a very rushed SOS imposed deadline for the new site. The 
developers were given a timeline of 7 weeks or so to complete the work on the website. They 
completed the work on the week and turned it over to the SOS staff. To my knowledge, it was never 
discussed again. I'm not sure of the reason, but the website was never published and is still sitting on a 
server collecting dust. 

During that same period of time, our one remaining developer and I were able to complete some of the 
items on the May priority list, but not all of them. Even the tasks we did complete were never 
thoroughly tested, because testing takes people and time, and we had neither. This eventually turned 
into an issue; just as our IT team had feared. 

Once the registration books closed we found that we had missed something in the work flow of the 
registration process. Because of this, our system encountered a failure that resulted in over 10k 
registrations being temporarily lost somewhere between the COT and SBE servers. Even though we did 
eventually catch this issue on the last day of registration, it was an avoidable bug which testing would 
have exposed. This one single misuse of time and resources ended up causing a ripple effect across the 
state with new registrations popping up in every county with some having hundreds to process after 
they thought they had already been completed. 

There were other problems created by our team not having the time to address the issues they had 
previously identified as critical, too many to detail. Although our systems are reliable and robust; they 
are also vastly complex and complicated systems. 

Bottom line? Our overworked staff does NOT have the time for frivolous, spontaneous, ill-planned and 
poorly executed side projects. 

To this day I'm not sure why the website became a sudden emergency priority between our busiest 
Primary and General Election in recent history, but it did. It caused us to not be able to complete work 
that desperately needed to be completed, all for a website that was then never used. 



VRS Audit Feb 2017 


In the beginning of February we were notified by a county that a polling location had been deleted from 
the VRS. This was alarming since only one SBE staff member deals with polling locations and this change 
had to have happened from within the VRS system. 

In an effort to identify how this may have happened, I investigated our VRS user list and their access 
levels. I was surprised to find that there were over five SOS employees who had VRS accounts and that 
they had full "Admin" rights. 

This seemed more than odd to me, since it had never been discussed that they would have access to the 
VRS system at all. I checked with IT and was told that they thought they might have been given access to 
monitor the Complaint System on Election Day. I was also informed that the Complaint System should 
probably be removed from within the VRS system so that it could have separate access controls and that 
really it didn't belong in the system at all. This was an adequate explanation and didn't raise any alarm 
bells with me or the staff. 

We later discussed the deleted polling location mystery during a staff meeting with Mary Sue Helm in 
attendance. Sometime after the meeting, Mary Sue sent me an email saying that she had looked at her 
access and found that she had "Read only", so it couldn't have been them that had deleted the polling 
location. I replied back to Mary Sue explaining that while investigating I had found other SOS employees 
that also had VRS access. I also noted that the reason she now had "Read only" access was because 
previously, somehow they had all had "Admin" access and that I had changed them to "Read only". 

Considering the situation settled, I forgot all about it until a week or so later when discussing how we 
might keep tighter controls on our VRS access, my senior developer told me that from now on all access 
changes had to be approved by him and/or Maryellen Allen. When I questioned him on his reasoning for 
that decision, he explained that he and Maryellen had recently been called over to the SOS office for a 
very serious meeting with the Assistant SOS and that he wasn't supposed to discuss it further. 

In an effort to better understand what this was all about I asked him to tell me what he could. He 
explained that at the meeting Lindsay had mostly focused on speaking very seriously with Maryellen but 
that she had also expressed concern to him about who had access to the system and what that access 
level was. She had also asked him if he knew how SOS personnel had gotten access and why they had 
"Admin" rights. He explained that it had never occurred to him until the polling location investigation 
that SOS personnel would have ever had access to the VRS and to his knowledge they previously had 
not. 

In preparation for the meeting, he had also been asked to provide a spreadsheet containing all SBE/SOS 
staff that currently had VRS accounts and their access rights. During the meeting, they reviewed this list 
and he was instructed, by Lindsay, on who to remove and what access levels to give to those remaining. 
Even though he was discussing it with the Assistant Director, he remained uncomfortable because he 
had been instructed to personally enforce system access in the future and not to discuss it further. 

I found this all to be very curious and started investigating how this could have happened. I talked to 
Aaron Gabhart and Keith Miller, the staff members that had previously authorized all VRS access. They 
were both adamant that they had never granted any access to anyone on the SOS staff. 

As I continued looking into this issue, I finally discovered that Steve Spisak, who is on loan to us as a 
part-time developer from the SOS, was told by Lindsay Thurston to ensure they had access to the 



Complaint System for Election Day. Since the SOS staff is in a different user domain, they could not be 
granted access through the normal routes and would have to be tunneled in directly through some 
other manner. I knew that the SOS staff had access to the Complaint System, but had previously 
assumed that they had been given access through our normal protocols. It had not been alarming to me 
that Steve had given the SOS staff VRS access for Election Day complaint system monitoring since it was 
necessary on Election Day and the Complaint System had not yet been moved out of VRS. 

What was unsettling is the overreaction of the SOS office once I discovered that SOS staff members had 
VRS access with "Admin" rights and had them set to "Read only". It is also concerning that once again; 
very important decisions were being made outside of our established agency protocols. This time, even 
our security measures for VRS access were circumvented by SOS staff, (which led directly to the 
confusion over access as there was no way for us to track what Steve had done at their request). 

Even after finding out all this information, I still wasn't sure why this had escalated so quickly and blame 
assigned to SBE. I was told later, by a staff member that has been here for several decades, that the SOS 
staff has never had access to the VRS system and that he thought that there had been an opinion given, 
(Attachment #2, pg4) by the Ethics commission on the matter and that might be why this has become 
the issue it has. I don't know, but I am forced to conclude that this could also explain why the Director 
and the SBE senior developer were called directly over to the SOS office under strict confidentiality? 

Whatever the actual answer is, the SOS staff logins continue to this day. I have attached a sample from 
our Voter Registration System logs (Attachment #2b) of the continuing SOS staff access from 3/17 to 
today. 


CyberScout Feb 2017 

A company by the name of CyberScout was introduced by the SOS during our February Board meeting. 
We were told that the company had been discovered by the Secretary herself at a National Association 
of Secretaries of State (NASS) meeting. 

During the meeting, CyberScout gave a brief presentation of services that they offered. It is important to 
note that the Board also went into a closed session, for a personnel action, during this meeting. At the 
end of the meeting, the Secretary made a motion to continue to engage with CyberScout and the 
motion passed. 

We were then directed by the SOS to investigate the CyberScout organization and determine if the SBE 
could use their services. We assigned this to our senior developer, Tom Watson, since he has the 
technical expertise on what we should be looking for in a cyber security company and had already been 
engaged in discussions with several leading security firms for some months previous to this meeting. 

After a week, Tom briefed Maryellen and me on his CyberScout findings. Tom showed us what their 
background was, (data breach insurance and public relations remediation), and what services they 
currently offered. Tom's opinion was that CyberScout seemed to be new to both practical security 
methodologies and working with the public sector. From their own documentation, and the fact that 
they had only recently introduced their new security auditing services, (after renaming their company to 



CyberScout from IDentity Theft 911 in early 2017), it seemed obvious that they didn't have the hands- 
on, real-world security experience or expertise that we were seeking. Maryellen and I then decided that 
we should continue to pursue a contract with Trustwave, one of the companies that our IT team had 
also been investigating. 

In the beginning of March, Maryellen and I met with Lindsay to discuss upcoming SBE projects. During 
this conversation we discussed CyberScout. We told Lindsay that we had looked into CyberScout and 
that we did not want to pursue them for a contract and the reason why. After the conversation Lindsay 
told Maryellen and I that she would pass the word up the chain and not to worry, they would back off 
the CyberScout project. 

One week later the March Board meeting was held. At the end of this Board meeting, the SOS informed 
the Board that the SOS and SBE had decided to move forward with CyberScout and there would be more 
information to come. This news was a complete surprise to us, since we had decided as a staff that this 
company did not offer the level and type of security services that we needed, and had been assured by 
Lindsay not to worry about it. 

A short time after this, our financial officer, Katrina Beckley, came to me with an issue. Katrina told me 
that she had received a call on her personal cell phone from Lindsay asking her to approve a contract 
payment for CyberScout. 

Katrina asked me if I remembered a Board vote being taken by the SBE Board to authorize a contract. I 
told Katrina that I didn't remember a vote being taken. I went and pulled up the Board meeting minutes 
to ensure there hadn't been something I may have missed. The Board minutes reflected no such vote 
and I relayed this to Katrina. 

Katrina came back to me stating that she had received another call from Lindsay asking her again to 
authorize the payment. Katrina expressed to me that she did not feel comfortable with Lindsay calling 
her directly, asking her to do this. 

Katrina explained that there is a protocol for these types of actions and that she needed Board minutes 
and Maryellen's authorization for it to be completed. I went and asked Maryellen if she knew what was 
going on with the CyberScout contract, specifically a contract authorization and that Katrina was 
receiving calls from Lindsay to authorize the transaction. Maryellen was surprised and said "no", she had 
no idea what was going on with the calls from Lindsay and that she would call her to try to find out. 

I was not in the room for the call, but after the call, Katrina and Maryellen told me how the conversation 
went. This is what I was told: The call was on speaker to Lindsay Thurston. Maryellen asked what was 
happening with this CyberScout contract approval. Lindsay told Maryellen that the SOS office had sole 
sourced (Attachment #3) the contract and that we needed to go ahead and approve it. Maryellen then 
asked about how it was sole sourced and who sole sourced it. Lindsay replied that there was no need for 
us (SBE) to worry about the sole source documents. Maryellen then told Lindsay that we could not 
authorize the contract without a Board vote, reflected in the Board minutes. Lindsay replied that the 
Board had voted on it and again told Maryellen to authorize it. Maryellen then explained that we had 
looked at the Board minutes and there was never a vote taken. Lindsay then said that the vote had 
happened when the Board was in closed session. At this point, Maryellen had Katrina leave the room 
and continued the conversation in private. 

After the phone call was finished, Maryellen told Katrina that she was to authorize the $304,000.00 
contract. I asked Maryellen again what was really going on and did we at least have a scope of work 



document or contract terms? Maryellen said she had none of those things, but was told by Lindsay to 
"authorize it or else". I asked Maryellen what she thought, "or else", might mean. Maryellen told me she 
was not exactly sure, but she took it to mean that she would be fired. 

At this point, I reached out to a few Board members in an effort to understand what was occurring. I 
asked if there had been a Board vote during the closed session. I was told that "no", there was no such 
vote during a closed session. I asked if the Board knew that a contract was being authorized and was 
again told "no", as a matter of fact they were waiting to see what the scope of work and cost was going 
to be. 

Upon learning these distressing facts, I then tried to stall the authorization for a few weeks to see if I 
could find out what was happening with this contract. After trying to pursue many different avenues, I 
came to the conclusion that there was nothing more I could do about it and that this contract was going 
to happen. 

Near the end of April, Maryellen was attending an election conference in Texas. During this time, Tom 
Watson and I had a meeting with Lindsay to discuss CyberScout. We carefully laid out our concerns and 
explained that as an election system, we face a uniquely daunting task in today's threat-filled 
environment. 

We reminded her that our IT team has been working with both the FBI and Homeland security for 
months on these very issues and that their recommendations were to pursue "world-class protection", 
provided by industry leading companies with the size, experience and highly sophisticated equipment 
needed to get our election data secured as quickly and robustly as possible. We were also in continuous 
discussions about our specific security needs with David Carter, the Chief Information Security Officer 
(COT CISO) for Kentucky. All of these organizations were pointing us toward highly sophisticated, 
specialized equipment managed by teams of certified security specialists. 

We explained that even though we do not have the budget, we are working with all of these 
organizations in a continuing effort to implement as many of the recommendations as possible. We 
reiterated that the entire IT department was in solid agreement that for our specific needs, a "security 
audit" from CyberScout would be a waste of our time and money and that it would provide very little, if 
any, of those specialized security services. 

Lindsay replied that it was a "done deal" and to "move on". Unbelievably, she then asked us, "Why don't 
you want an audit, what do you have to hide"? 

This was a stunning statement for me and I quickly realized that if I were to lobby against this anymore, I 
would be classified as someone trying to hide something. 

Lindsay then went on to tell me that I needed to pull an RFP for EPoll books out of procurement. The 
RFP had been over there for weeks waiting its turn in line to be proofed. I asked why we would want to 
pull the RFP back and explained that if we did this it would put us a month behind our proposed 
timeline. Lindsay said she needed to make some technical changes. I asked her what changes 
specifically, since it had already been approved by COT? Lindsay said again that she just needed to make 
some changes to the RFP. I pressed her on it, because Lindsay has no experience with poll books, let 
alone technical issues. Lindsay pushed a document to me to look at, and then said that she needed it 
back. I felt something was suspicious about this and took a picture of it so I could analyze it for more 
information later. 



(Please refer to E-Poll Books - May 2017 for more information regarding Attachment #4.) 


The CyberScout contract was finally approved by finance. At the very least I was able to get the contract 
budget terms changed. The contract was set up by the Office of the SOS and finance to pay CyberScout 
$150,000 for the month of June 2017 (end of fiscal year 16) and an auto renew payment of $150,000 for 
July 1» (fiscal year 17). I had the end of year 16 combined with 17 for a total of $150,000, so all they will 
receive this year is $150,000, instead of the agreed upon $304,000. 

CyberScout arrived at the State Board of Elections offices in June for a preliminary meeting. The entire 
SBE staff met with four CyberScout staff, Eric Hodge, Harri Hursti, Brian Huntley and an intern. The 
meeting for the most part was uneventful, but one statement stood out to me. CyberScout said they 
have done work in Ohio. I know the assistant director of elections in Ohio and asked him if he knew who 
CyberScout was and if so, how did they do up there? The assistant director would eventually write me 
back saying he had never heard of them, but would ask his staff and reach out to some of his local 
jurisdictions. 

The meeting continued with CyberScout asking us vague questions about what we think they should be 
doing while here. At the conclusion of the meeting they outlined four objectives that they had gathered 
from the meeting and would focus on those for the duration of the contract. Our IT staff engaged 
directly with them for hours and hours trying to understand how they were going to "assist" us with our 
security needs. Even after weeks of working with them, we are all still unsure of what it is they doing. 

The assistant director of Ohio eventually returned my text and told me that he had checked with the 
Ohio SOS staff and his election staff and no one had heard of CyberScout. He asked me if I had said that 
CyberScout employed a hacker. I said yes and he is actually in my conference room at that very moment. 
He then sent me an article to read about an upcoming conference in Las Vegas called DEFCON. He said 
that Ohio had been warned to be on the lookout for hackers and any type of unusual hacking attempts 
on their systems. 

I read the article that outlined what DEFCON was going to be and asked Hari Hursti if he knew anything 
about DEFCON. He said "not only do I know about DEFCON, I am the co-founder of DEFCON". I couldn't 
believe what he had just told me. I passed this information up the chain to ensure everyone was alerted 
of the danger of having this "ethical" hacker inside of our building about to embark on an internal audit 
of our VRS. The SOS office replied back later that day that they already knew this information and to 
continue on. I sat there stunned. 

At this point we just tried to make the best of it and hoped at the end of this contract we might get 
something of use out of it. We had a few more teleconferences with them that always seemed to go 
nowhere. Our IT staff rapidly became even more concerned as the CyberScout team exhibited no 
interest in, or knowledge of, security devices or the security layering of applications. Even though asked 
repeatedly for information on these crucial areas, neither was ever addressed. 

Right from the start, CyberScout reported directly to Lindsay Thurston, and they still do to this day, even 
though they are under contract with the SBE. The few sparse written updates SBE has received are 
virtually unreadable. They consist of vague concepts and organizational notes with virtually no actual 
meaning. 

In the meantime, Lindsay had instructed Maryellen to coordinate a CyberScout visit with two counties. I 
asked Maryellen if the counties were covered under some sort of non-disclosure agreement with 
CyberScout. I was told that no, they were not covered. 



I suggested that we might not want to call clerks and arrange meetings for a company that wants to 
hack voting equipment without assurances of complete privacy and secrecy of the findings. Maryellen 
agreed but said that she had been told to do this by Lindsay and that if she didn't it would be considered 
"insubordination". 

Maryellen arranged the meetings with the counties and the counties accepted the visit. I felt I was in 
between a rock and a hard place at this point. I knew the counties agreed to this visit because they knew 
we would never send anyone to them that would put them in any type of jeopardy. I decided to call 
those counties and explain a little bit more about the audit to them and suggest that at the very least, 
they needed to make CyberScout sign a NDA. 

To understand the full scale of what is happening you would have to look at the few scattered and 
confusing documents that they have produced and speak to the SBE staff that have been forced to work 
with them. Maryellen and I have insisted that our IT team try to get something of value from CyberScout 
and continue to cooperate in a good faith effort. But at the end of the day, there just hasn't been any 
tangible result to their "audit" at all. 

It is important to look at the original sole source document date that was sent to finance (Attachment 
#5). It appears that this document went up to be approved the day before the February Board meeting 
where they were first introduced. 

I am unaware if this document has any importance, but feel it at least needs to be looked at by others 
that may have more insight on it (Attachment #6). 

During the CyberScout sequence of events, I couldn't shake the feeling that something was very wrong 
with this contract. I asked many questions of many people and decided that I needed to go on the 
record with my concerns. I went to the ethics branch and filed a complaint which officially made me a 
whistleblower. My complaint was reviewed by the ethics branch board members. An active 
investigation is currently ongoing. 


E-Poll Books-Proposed $5.5 million contract - May 2017 

In January of 2016 I was tasked by the SOS to spearhead an ePoll book pilot program. I was told to find a 
vendor that would be willing to come to Kentucky and let us do an ePoll book pilot in multiple 
counties. Over the next few weeks I reached out to several vendors to see if any of them would be 
willing to do a pilot program for Kentucky. 

Only one vendor, by the name of Tenex, volunteered to participate in the pilot program. After several 
months of working together, we successfully conducted an ePoll book pilot in 6 counties for the primary 
election of 2016. 

I was again tasked by the SOS the following September to see if Tenex would also participate in a 
general election ePoll book pilot program. I reached out and Tenex again volunteered to provide ePoll 
books for the same six counties for the general election of 2016. As both pilots were a complete success, 
it was decided by SBE to move forward with the ePoll books RFP process in February of 2017. 

During the next month, I finished the first draft of the RFP. All through this process, I was in contact 
with the Finance Cabinet's Procurement office and followed recommended process accordingly. It then 




took many weeks to get the RFP moving because Finance had to perform several preliminary checks, 
with multiple agencies, that needed to be completed before the RFP could be put out to bid. 

Once their requirements were all met, I sent the RFP draft over to procurement so it could be assigned 
to a procurement officer. There were only two procurement officers on staff at the time, so there was a 
lengthy list of RFPs in front of ours. It then took our RFP two more months to move towards the top of 
the list. 

In April, I was notified by Lindsey Thurston that the RFP needed to be pulled out of procurement. I 
asked Lindsay what this was about and why it would be necessary to pull it out of the procurement 
process. Lindsay told me that she wanted to make some "technical changes" to the RFP. I asked her 
what "technical changes" since it had already been through the COT technical approval process. Lindsay 
stated that she "just needed to make some technical changes". 

I explained to her that if we pulled it out of the procurement process that we would be at least another 
month behind, and that each month we wasted would put us up against an impossible implementation 
deadline. Lindsay then handed me a document, while talking to Tom Watson, to summarize the 
technical changes that she needed to make. When I looked at the document, I realized that CyberScout 
was on its heading. I knew that CyberScout was not approved at this time to do work in Kentucky since 
finance was still trying to approve the contract, so I took a picture of the document. (Attachment #4) 

Later that day, I was thinking all this over and questioning why Lindsay would have any "technical 
changes" to make to the RFP when I realized that it had probably come from CyberScout. They had 
already been doing consulting work for the SOS on the ePoll books RFP even though they were not on 
contract. 

As the primary POC for the RFP, I had a very real fear that this uncontracted vendor might be working 
with an ePoll book vendor. If this were the case, it would jeopardize the ePoll book RFP we had just 
spent a year working on. 

In spite of my worries, I pulled the ePoll book RFP from procurement and sent it to Lindsay like she had 
asked. Lindsay then kept the RFP for 8 more days. During those 8 days, the chain of custody of the RFP 
was broken and I now had no idea where it went, or whose hands had been on it. 

After Lindsay returned the RFP to me, I looked it over and realized that there had indeed been changes 
made to the technical requirements, just as I had feared. Flaving no choice, I took the RFP and sent it 
back to procurement again. The RFP sat at procurement for a few more weeks until I received an email 
from Nikki James who had been assigned as the procurement officer for this RFP. She explained that all 
further communications concerning the RFP would be only with her. 

That same Friday, Nikki sent me another email saying that the format of the RFP now had to change to 
the new fiscal year 2017 format. I then sent Lindsay a note saying that the RFP had finally been assigned 
to a procurement officer and that the procurement officer also said that the format had to be changed. 

I replied back to Nikki James and told her that I was in training on Monday but would get it back to her 
with all of the changes on Tuesday. On that following Tuesday afternoon, I sent the RFP back to Nikki 
with the required changes. Nikki sent me an email back asking if the RFP I had sent was the one to 
accept, or was it the one that Lindsay had sent her the day before. I was unaware that Lindsay had also 
sent Nikki an RFP and requested that Nikki send me that copy so I could see what Lindsay had sent to 
her. 



Nikki sent me the RFP that Lindsay had sent. The RFP had some slight discrepancies and I told Nikki to 
use my copy. The next day, Wednesday, I was sitting in my staff meeting and received an email from 
Nikki James supervisor. The email was sent to me and Lindsay, and it was asking which one of us was the 
POC. I replied back that I was the POC for the SBE. 

Lindsay replied back within the hour stating that she was the POC. After reading this email, I went and 
talked to Maryellen and asked her what was going on with the ePoll book RFP. She read the email chain 
and then told me that she had no idea what was going on with the RFP and that she would call 
Lindsay. During this call, Lindsay told Maryellen that she was the POC and that she would come to our 
office later to explain why. 

Lindsay came to our office the following day, Thursday, for a meeting to discuss ePoll books and 
CyberScout. During this meeting Lindsay stated that since I had been in charge of the ePoll book pilot 
program that she was removing me as the POC so as not to jeopardize the RFP because of conflict of 
interest. 

Lindsay stated that she knew it was their fault that I had to work with a vendor for the pilot, but 
nevertheless, it could be construed as a conflict of interest. I was ok with this after talking it over with 
her, but told Lindsay that someone in SBE should be the POC and it should probably be Maryellen. This 
idea was turned down by Lindsay and she stated that she would remain the POC. Maryellen and I talked 
about it and Maryellen also agreed that she should be the POC, but was told we were done discussing 
the subject any further. 

At this point Lindsay told me not to have any more contact with vendors and also gave Maryellen and 
myself an order not to discuss ePoll books with any county clerks. If county clerks called me with a 
question, I was to tell them to contact Lindsay. I was concerned that if I did this, the county clerks would 
lose faith in our agency on this project and slowly distance themselves from it. I complied with the 
directive while still trying to do my job communicating with county clerks on other issues. Even though 
we had not missed any county clerk conferences in over two years, Lindsay also directed us that we 
were not to attend any conferences. I argued against the wisdom of isolating ourselves from the county 
clerks association, but was told that the decision had been made. 

My fear with Epoll books is that it was taken away suddenly after CyberScout became involved. Nothing 
about the RFP after it was taken by Lindsay has been discussed with anyone at the SBE in detail. The 
selection panel to choose E poll books was comprised by Lindsay and was made up of 2 SOS staff 
members, 1 CyberScout staff member and Maryellen and no county clerks, as was originally agreed on. I 
was then told by Maryellen that Lindsay stated to her that the panel was selected by Nikki James and 
they couldn't help who was put on to the panel. I knew this to be untrue and because of this small 
unnecessary deception, I remain suspicious of the entire project at this point. 



VRS Data Breach Aug 2017 


We have strict protocols for who has access to the VRS and the different levels of access depending on 
your job here at SBE. When you log into VRS, you are immediately presented with a security banner 
(Attachment #7) and an icon authenticator, to ensure that you are an authorized user and that you 
understand what you can and cannot do on the system. 

In August Steve Spisak came over to our office. He was visibly upset about something and started to 
vent to Maryellen and I, in her office, about something that had just happened over at the SOS office. He 
stated that he was called by the capital police and asked to move his car from where it was parked. 
Apparently, he had been given a parking spot by the SOS many years ago. Steve went up to the SOS 
office and talked to someone there, I think he said Lindsay, but cannot be sure. He was told that they 
had hired someone new to the SOS staff and that the new person would need his parking spot. 

This did not sit well with Steve, who is in his 70's, and would now have to walk a great distance to get to 
his office there. As Steve was venting to us he mentioned, "I can't believe they have done this to me" 
and then started talking about all the decades he has worked for the office of SOS, etc. During this rant 
Steve mentioned, "Especially after all of the things they've had me do for them". 

I asked Steve, "like what things"? Steve replied with, "I've done a lot of software work for them an many 
projects". Then he said, " and other things, like the times they had me come over here and download 
data for them." This peaked my curiosity and I then asked him, "what types of data?" Steve said, "Voter 
registration data." I asked him again to be sure I had heard him correctly, "what types of data?" Steve 
replied with, "All kinds of data, like during their elections, they would ask me to come over here and get 
data for them." I asked Steve how many times this had happened? Steve replied, "Probably 3 or 4 times 
... every time they were running". I asked, " Is they the SOS ?" Steve replied, "Yes". 

I also asked, "Why didn't they get the data like everyone else got the data?" Steve replied with, "Well, 
they said they paid for the data already and that I just needed to come over and get it, so I did." I asked 
Steve, "Well, if they paid for the data, they would have been given a disk by Sheila like everyone else?" 
Steve started realizing at this point that there was probably about to be a problem and stopped 
answering my questions. 

There are several problems with this situation. For starters, there is an established protocol for people 
that want voter registration data. If you want data and you are a candidate, you submit a "Request for 
Data" form that is either approved or denied by the State Board of Elections, depending on your 
eligibility criteria. If you are approved you pay a $450 fee for each request. Upon receipt of the fee, you 
receive a disk containing only the data that was requested. (There is one payment of $450.00 on record 
by the SOS campaign, but only one). 

There is also the issue of data security and privacy laws. There is data that can be released and data that 
cannot be released and following the process allows our staff members to ensure that nothing leaves 
the building that shouldn't, in any format. Data that is released is documented, recorded and tracked 
through every step of the system to ensure that everything was done properly. 



When the data was taken out of this building on a thumb drive, that trust was broken. We have no way 
to know what was on it, where it went or what it was used for. For all we know, it could have been the 
entire data base. I don't think that is was. But that's the point, because it was taken in this manner, I just 
don't know, and actually, we will never know for sure. 

This is wrong on so many levels it is hard to describe them all, but in particular this worries me because 
if the data was copied and then shared between machines it could be picked up by someone nefarious 
and broadcast to the world. It would then appear as though the SBE was hacked or careless with the 
entrusted state VR database. Either of these situations is bad for everyone involved, but especially for 
those of us who safeguard this data on behalf of the people of Kentucky. 


Website 11 Oct 2017 

All of us from SBE who were in attendance at the September board meeting were shocked to discover 
that the SBE was receiving a new website. This website took me completely by surprise as there has 
been no discussion of launching a new SBE site, either in our office or from the SOS office. 

Maryellen and I discussed this and she told me that she had been told that the SOS was reviewing 
content for the new website earlier in the year, but she had thought they were talking about the new 
website that they had insisted our developers create the summer before. 

When asked about this new website, SOS staff said they had been working on it for the last year. 

In other words, another agency had been working on a website, for our agency, for an entire year. A 
entire year without even one discussion with our agency about the design or content or even that it was 
being done at all. 

On the morning of October we were notified by the SOS media director, Bradford Queen, that he 
would be coming over that afternoon to discuss the new website. Maryellen told me, Aaron Gabhart 
and Sandy Milburn to be at the website meeting. We sat in the meeting that afternoon as Bradford 
Queen told us that they were launching the website the next morning. 

This again took us by complete surprise and Maryellen asked how they could possibly launch a "State 
Board of Elections" website without us even looking at it? 

Bradford said that we could "look at it now". Maryellen stated to Bradford that she was a little shocked 
by this and it seemed like we would have been in communication well before the eve of the website 
launch and press release to ensure the website had no errors. Bradford replied to Maryellen saying 
"That's why I am here now". 

I then told Bradford that this entire situation seemed inappropriate to say the least. I asked him why the 
SQS office would make a new website for SBE, especially after I've been trying to update and/or create a 
website for the last three years for my agency and have been consistently told "no". Bradford told me 
that the reason they had made this new website was because they knew how busy we had been over 
here, and they wanted to take some of the burden off our shoulders. 



I told Bradford that while we are very busy at the State Board, I am a very experienced manager, more 
than capable of successfully running multiple projects at one time, hence the notbook full of website 
design notes and multiple meetings with Kentucky Interactive. Bradford then stated again that "we 
know how busy you are, so we decided to do it". 

I then asked Bradford who had the administrative rights to our website. Bradford said that we would 
share administrative rights. I asked him why the SOS would have admin rights to our website and he 
said it was so that he could make changes as well. Prior to this the SBE website was controlled solely by 
the SBE staff. I then turned to Maryellen and told her that in my opinion "we should not launch this 
website tomorrow until we work out who is in control of this website and until we have had a chance to 
thoroughly examine every page of content". 

I then excused myself from the meeting. The website was launched the next day with no regard for our 
needs or opinions or expertise. Very predictably, the following week has brought many major content 
errors and data omissions that we could have easily caught and fixed if given the common courtesy of: 

1) Knowing we had a new web site under development. 

2) Being allowed to decide what our agency needs and wants on our own website. 

3) Having a decent amount of time to proof and test the new site. 


Budget Meeting 16 Oct 2017 

As I was driving home to Elizabethtown, on Oct 16th around 5:30, I received a text from Katrina Beckley, 
asking if I was still at work. I replied no, that I was driving home. I then received a phone call from 
Katrina. I could tell that was very upset by the shakiness of her voice. I asked her what was wrong. She 
said she had received a phone call earlier in the day from Michelle Starkweather (SOS/SBE HR) 
requesting a budget meeting. 

She said she had told Michelle that wouldn't be a problem and to come over later in the afternoon. 
Katrina also told me that she thought this was strange because Michelle had just been over, the week 
before, going over the budget and that everything had been sorted out then. When Michelle arrived, 
she went into Katrina's office and shut the door. She asked Katrina if the meeting could be confidential. 
Katrina told her yes, it could be, unsure of what the meeting was about. At that point Michelle sat her 
phone on Katrina's desk and sat back in her chair. Katrina said she thought it was odd that she would 
set her phone on her desk and then sit several feet back in her chair, and she wondered then if Michelle 
might be recording their conversation. 

Michelle then told Katrina that she shouldn't feel that she should have to answer her questions just 
because she had been given a pay raise the previous month. Katrina told me that this initial statement 
had made her feel very uneasy. 



The next question that was asked to Katrina was, "Is anyone over here scared of Matt?" Katrina asked 
her to repeat the question because she wasn't sure she heard her correctly, and Michelle again asked 
"Are people over here scared of Matt?" Katrina told me that she replied "No, I don't know of anyone 
that is scared of Matt. Usually everyone goes to Matt if they have a problem." 

Michelle then asked Katrina "Does Matt run the staff meetings, and if he does, does he let people talk?" 
Katrina replied with "Usually Maryellen runs the staff meetings, but if Maryellen is away. Matt does and 
everything goes fine." Michelle then asked, "Are staff meetings going better now that we are sending 
Mary Sue over here?" Katrina replied "Mary Sue usually just sits here taking notes, but yes, they seem 
to be running the same as always". 

Katrina then told me that what was said next "made her feel really uneasy". Katrina had previously told 
Michelle that she had accidentally deleted a folder off of her phone that had contained pictures of her 
vacation. She had told Michelle about this in the April/May timeframe, while they were sitting on a 
panel together trying to hire a new financial person for the SOS. She had mentioned to Michelle that 
the folder got deleted because she was trying to delete an attachment that I had sent her in an email 
that she accidentally saved to her picture folder. When she deleted what she thought was the 
attachment, it actually deleted the entire folder of pictures. 

Katrina told me that she had forgotten that she had even mentioned this to Michelle back then. 
However, Michelle's next question to Katrina was "Do you think Matt sent you some sort of attachment 
with a virus to intentionally wipe out your phone?" 

Katrina replied "No, absolutely not. I accidentally deleted the wrong item." Katrina said there were a 
few more questions, but she couldn't remember what they were because the entire situation had 
stunned her. 

Michelle left the building after the meeting and Katrina said she was too nervous to mention anything 
about this meeting inside the State Board of Elections building. At this point I realized that the SOS 
office may be using Michelle Starkweather to build a packet on me for possible termination. I thanked 
Katrina for calling me and letting me know about this event and apologized that this had happened to 
her. I called Maryellen to inform her of what Katrina had just told me. 

The next day Katrina informed me that she had thought long and hard about what had taken place the 
previous day and had decided that it was completely inappropriate. She then informed me that she had 
decided that she was going to make a formal complaint. 



